You’d think a bank would do better than this.


Bank of America, N.A.
101 South Tryon St., 8th Floor (email responses go there)
Charlotte, NC 28255-0001

LA | VL | LP | LV | LM (initials only; I am in possession of full names, called out in emails)

Bank of America allows customers to sign up for Online Banking and email notifications without confirming, via an email loop, that the customer has accurately provided, and/or the Bank of America CSR has accurately acquired, the customer’s proper and true email address.

Bank of America is one of the banks with which I have a relationship, which makes this post even more important. I’ve banked with them for a long time, and for the most part, they are pretty good about getting their systems down, but in this case, they’ve continued to fall down on the job.

I’ve received multiple email messages for each of several of their customers. Some are notices for mortgage payments due, account application updates, survey notices and so on. I, too, get these notices as a B of A customer, so I know what they look like, and I’m very aware (and wary) of phishing attempts.

Bank of America, as you’ll see in the evidence below, not only allows its customers to give it inaccurate email addresses, but also sends those customers emails complete with their full names, email addresses and the last four digits of their account number. This is dangerous, as an attempt at social engineering is far easier with that information in hand than without.

Note that the actual customer’s name has been redacted, but I have that, as well as the last four digits of their account number.

Yes, but that would only stop the symptom, not the problem.

Yes

I’ve contacted the Online Banking support team on numerous occasions, explained the issue, and have had both good and bad experiences with the CSRs’ responses. At no time have any of Bank of America’s representatives understood completely what I’ve explained, and given that the emails continue, nothing has been accomplished.

11/20/09: I searched online for the highest-ranking security official within the Bank of America organization, former assistant director of the Criminal Investigative Division and former acting executive assistant director for Law Enforcement Services at the FBI, Chris Swecker, and called their Charlotte offices and asked for his office. They eventually gave me his voice mail. I left a clear voice mail as to why I was calling, with an explanation of the issues and what needed to be fixed.

No change

As you read this, I have received no response at all from anyone at Bank of America.
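The email loop this post says is missing, sketched as an added example (not Bank of America's code and not part of the original post): the enrollment stays unverified until a signed, expiring token sent to the address comes back, and no message carrying a name or account digits goes out before that. `SECRET`, `TOKEN_TTL`, the `Enrollment` class and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: a server-side secret
TOKEN_TTL = 24 * 3600             # assumption: links expire after a day

def _sig(customer_id, email, expires):
    msg = f"{customer_id}|{email.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(customer_id, email, now=None):
    """Token bound to this customer, this exact address, and an expiry."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sig(customer_id, email, expires)}"

def check_token(customer_id, email, token, now=None):
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    current = time.time() if now is None else now
    expected = _sig(customer_id, email, expires)
    return hmac.compare_digest(sig.encode(), expected.encode()) and current <= expires

class Enrollment:
    def __init__(self, customer_id, full_name, last4, email):
        self.customer_id, self.full_name = customer_id, full_name
        self.last4, self.email = last4, email
        self.verified = False
        self.outbox = []  # stands in for the outbound mail system

    def send_confirmation(self, now=None):
        token = issue_token(self.customer_id, self.email, now)
        # No name or account digits: the address is still unproven.
        self.outbox.append((self.email, f"Confirm this address: {token}"))
        return token

    def confirm(self, token, now=None):
        if check_token(self.customer_id, self.email, token, now):
            self.verified = True
        return self.verified

    def notify(self, body):
        if not self.verified:
            return False  # nothing personal goes to an unconfirmed address
        self.outbox.append((self.email, f"{self.full_name}, acct ...{self.last4}: {body}"))
        return True
```

If the address was mistyped, the stranger who receives the confirmation sees only a token, and ignoring it leaves the enrollment unverified so no account notices follow.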
